SNMP vulnerability research reaches deeper

By
06.14.2002 :: 9:27AM EST

The research that led to the discovery in February of an SNMP vulnerability affecting over 200 vendors has revealed a much more startling vulnerability further down the stack, in a standard used heavily in telephone and electrical systems and being implemented in the next generation of aviation traffic monitoring systems. Called Abstract Syntax Notation One (ASN.1), this protocol has implementations that are vulnerable in much the same way as much of today's software and operating systems: buffer overflows triggered by malformed data. The Oulu University Secure Programming Group in Finland, whose work specifically targeted SNMP vulnerabilities, was also able to break ASN.1 decoders by feeding unexpected data to implementations of the protocol and noting when and how they failed.

ASN.1 is the foundation on which SNMP was built, which makes this a major concern not only for CERT (the Computer Emergency Response Team) but also for Cyber Security Advisor Richard Clarke and Howard Schmidt, Vice Chairman of the Critical Infrastructure Protection Board, both of whom briefed the President on the vulnerability. After President Bush directed them to assess immediately how susceptible government networks are to attacks exploiting the ASN.1 vulnerability, Clarke and Schmidt created a “Cyber Interagency Working Group” whose initial full-time task is to identify affected systems, gathering information such as “system name, system owner, type of system, vendor, name and version of the operating system, what patches are installed, and so forth.” According to a source involved in the project, this is a large effort.

ASN.1, an internationally recognized standard for encoding and transmitting complex data structures, was developed in 1984 and is used by networks such as SS7 (the network used for routing phone calls), package tracking, credit card verification, and digital certificates. Electric transformers and substations are also controlled remotely using the same standard. Two of the chief causes of the buffer overflow flaws have nothing to do with ASN.1 itself but with the fact that programmers never coded against receiving illegal data: a decoder that trusts the length a message declares, rather than checking it against the bytes actually received, can be made to write past the end of its buffer. Some ASN.1 compilers (tools that generate encoder and decoder code from a specification) bake the flaw into every program built with them. The other cause, borrowed code, is exacerbated because such code is rarely reviewed for vulnerabilities owing to its relative obscurity.
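To make the missing check concrete, here is an added example in C (not code from the article, from Oulu, or from any vendor's ASN.1 implementation): a minimal BER tag/length/value reader that validates the declared length against the bytes actually received before touching the value, and copies an OCTET STRING into a fixed buffer only when it fits. All function and status names are this example's own, and the sample messages are constructed, not captured traffic.

```c
/* Added example, not from the article or any vendor's code: a bounds-checked
 * BER tag/length/value (TLV) reader. The decisive line is the comparison of the
 * declared length against the remaining input, which the affected decoders
 * described in the article omitted. Only single-byte tags are handled, which
 * covers the primitive SNMP types. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result codes; these names are the example's own, not a standard API. */
enum tlv_status {
    TLV_OK = 0,
    TLV_ERR_TRUNCATED,   /* header or value runs past the end of the input */
    TLV_ERR_BAD_LENGTH,  /* indefinite length or absurdly wide length field */
    TLV_ERR_BAD_TAG,     /* not the type the caller asked for */
    TLV_ERR_TOO_LARGE    /* value does not fit the caller's buffer */
};

/* Parse one TLV from buf[0..buf_len). On success *value points into buf and
 * *value_len is its length; nothing is read beyond buf_len. */
static enum tlv_status ber_read_tlv(const uint8_t *buf, size_t buf_len,
                                    uint8_t *tag, const uint8_t **value,
                                    size_t *value_len)
{
    size_t pos = 0, len = 0;

    if (buf_len < 2)                     /* need at least tag + one length byte */
        return TLV_ERR_TRUNCATED;
    *tag = buf[pos++];

    uint8_t first = buf[pos++];
    if (first < 0x80) {                  /* short form: the byte is the length */
        len = first;
    } else {                             /* long form: n following bytes hold it */
        size_t n = first & 0x7F;
        if (n == 0 || n > sizeof(size_t))
            return TLV_ERR_BAD_LENGTH;   /* 0x80 = indefinite; too wide to hold */
        if (n > buf_len - pos)
            return TLV_ERR_TRUNCATED;    /* length field itself is cut off */
        for (size_t i = 0; i < n; i++)
            len = (len << 8) | buf[pos++];
    }

    /* The check the article says was missing: never trust the declared length. */
    if (len > buf_len - pos)
        return TLV_ERR_TRUNCATED;

    *value = buf + pos;
    *value_len = len;
    return TLV_OK;
}

/* Copy an OCTET STRING (universal tag 0x04) into a fixed NUL-terminated buffer.
 * The destination size wins over whatever the message claims. */
static enum tlv_status ber_read_octet_string(const uint8_t *buf, size_t buf_len,
                                             char *out, size_t out_size)
{
    uint8_t tag;
    const uint8_t *value;
    size_t value_len;
    enum tlv_status st = ber_read_tlv(buf, buf_len, &tag, &value, &value_len);
    if (st != TLV_OK)
        return st;
    if (tag != 0x04)
        return TLV_ERR_BAD_TAG;
    if (value_len >= out_size)           /* leave room for the terminator */
        return TLV_ERR_TOO_LARGE;
    memcpy(out, value, value_len);
    out[value_len] = '\0';
    return TLV_OK;
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t SAMPLE_OK[]         = {0x04, 0x06, 'p','u','b','l','i','c'}; /* "public" */
static const uint8_t SAMPLE_TRUNCATED[]  = {0x04, 0x7F, 'a', 'b'};       /* claims 127, has 2 */
static const uint8_t SAMPLE_INDEFINITE[] = {0x04, 0x80, 'a', 'b', 0, 0}; /* indefinite length */
static const uint8_t SAMPLE_LONGFORM[]   = {0x04, 0x82, 0xFF, 0xFF, 'a'}; /* claims 65535 */
static const uint8_t SAMPLE_INTEGER[]    = {0x02, 0x01, 0x05};           /* INTEGER, not string */

/* Small wrappers so each case can be checked by return value. */
enum tlv_status check_well_formed(void)  { char o[16]; return ber_read_octet_string(SAMPLE_OK, sizeof SAMPLE_OK, o, sizeof o); }
int check_well_formed_value(void)        { char o[16]; ber_read_octet_string(SAMPLE_OK, sizeof SAMPLE_OK, o, sizeof o); return strcmp(o, "public") == 0; }
enum tlv_status check_truncated(void)    { char o[16]; return ber_read_octet_string(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, o, sizeof o); }
enum tlv_status check_indefinite(void)   { char o[16]; return ber_read_octet_string(SAMPLE_INDEFINITE, sizeof SAMPLE_INDEFINITE, o, sizeof o); }
enum tlv_status check_longform(void)     { char o[16]; return ber_read_octet_string(SAMPLE_LONGFORM, sizeof SAMPLE_LONGFORM, o, sizeof o); }
enum tlv_status check_wrong_tag(void)    { char o[16]; return ber_read_octet_string(SAMPLE_INTEGER, sizeof SAMPLE_INTEGER, o, sizeof o); }
enum tlv_status check_small_buffer(void) { char o[4];  return ber_read_octet_string(SAMPLE_OK, sizeof SAMPLE_OK, o, sizeof o); }

int main(void)
{
    printf("well-formed:      %d\n", check_well_formed());
    printf("truncated:        %d\n", check_truncated());
    printf("indefinite:       %d\n", check_indefinite());
    printf("long-form claim:  %d\n", check_longform());
    printf("wrong tag:        %d\n", check_wrong_tag());
    printf("buffer too small: %d\n", check_small_buffer());
    return 0;
}
```

The reader rejects the three malformed shapes a length-trusting decoder would have copied blindly (a short-form length larger than the input, a long-form length of 65535 over a five-byte message, and an indefinite-length marker), and it also refuses a value that is well-formed on the wire but larger than the caller's buffer; the last case is the one that distinguishes input validation from merely parsing correctly.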

Although firewall rules can be written to defend against the vulnerability, experts say these are merely band-aids and that every implementation of the protocol should be tested for holes.

The Aeronautical Telecommunication Network (ATN), a commercial aviation communications network, relies heavily on ASN.1 and must comply with the FAA's DO178B certification standards before deployment. An ATN systems spokesman stated he was not aware of any ASN.1 implementation issues, and that the system was to be deployed in the fall. The critical systems identified as at risk rely on private networks, which present at least a small barrier to attackers, and it is thought that those networks will have been subjected to much more thorough testing.

RON'S OPINION
Although this is a huge discovery (just as the SNMP find was), it seems there is some time to rectify the flaw. The fact that the affected networks are mostly private (not connected to the Internet) suggests they are not as easy to compromise. However, just as the SNMP implementations had to be patched, much work will have to be done to determine which implementations of ASN.1 are affected and need patching. It is also worth stressing that the flaw is not in the protocol itself but in the implementations of that protocol, where the programmers did not check for malformed data.

Much credit is owed to CERT for its behind-the-scenes coordination with vendors to patch the SNMP vulnerability, and it is thought that the ASN.1 patches, if coordinated in the same manner, will be applied quickly and quietly, before the affected systems are compromised. In my estimation, this is a positive example of how our government agencies can work together to solve a problem.

USER COMMENTS 5 comment(s)

Problem? What problem? (9:42am EST Fri Jun 14 2002)
There is no problem, nothing to see here…

I bet nothing major gets done to patch this hole either… – by nosebreaker.com

ya know (10:58am EST Fri Jun 14 2002)
As I read this article, I realized just how easy it is to fix stuff like this.

I know some languages may be more difficult than others, but good programmers are going to look for ways to work around it. I remember when I used to write C code at a University. One of my biggest efforts was in making sure the code didn't accept anything other than expected input. Even then, it was written to explicitly handle those inputs in the proper way.

At that time, scanf() had some issues, I don't remember exactly how I fixed it, but I made it work. I would have used gets(), but that function was illegal (in a programming sense) at the time. Later though, I did get the gets() function to work with the right code so that I could take in a string properly.

One of the problems with both, had to do with checking for chars, ints…. etc.

It took time to figure out, but once I got it working, the code was bulletproof. My professors also agreed – many of whom were former military crypto coders.

My point is that it can be done. It is all about knowing the code and working hard to make it work right. – by The Scavenger

Denial (11:29am EST Fri Jun 14 2002)
“An ATN systems spokesman stated he was not aware of any ASN.1 implementation issues, and that the system was to be deployed in the fall.”

Deny the problem until it becomes a PR issue. Sounds like MicroSoft. (No flame war please.) – by NewGeek

Not denial (2:06pm EST Fri Jun 14 2002)
The ATN systems spokesman is probably not denying the problem but rather, is completely oblivious to it. They haven't a clue. Some people will get fired and then the problem will never get solved.

Someday the whole system will get replaced with something else which will have flaws but it'll take a while for them to be discovered and the cycle continues…. – by PRFunky